Exchange 2007/2010 and anonymous relaying

In every company there are applications, servers or devices which have a requirement to be able to send messages to recipients inside or outside an Exchange 2007 or Exchange 2010 organization.

Normal Receive connectors with the right parameters can allow anonymous users (applications, servers or devices) to relay inside the Exchange organization. To let a Receive connector accept anonymous e-mail for recipients outside the organization, you must grant the "Anonymous Logon" security principal explicit Active Directory rights.

For extra security, I suggest creating two Receive connectors that are able to relay messages:

  1. Receive connector for relaying inside the Exchange organization.
  2. Receive connector for relaying outside the Exchange organization.

This way you know which applications, servers or devices send e-mail to third parties, and you stay in control as an Exchange administrator.

When enabling anonymous access to the receive connector, the anonymous permission group grants the following permissions to the Anonymous Logon security principal on the Receive connector:

  • Ms-Exch-Accept-Headers-Routing
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-SMTP-Submit

If you want to use the Receive connector to send e-mail outside of your Exchange organization anonymously, you also need to add the following extended right to the Anonymous Logon security principal:

  • Ms-Exch-SMTP-Accept-Any-Recipient

You can create the Receive connector for internal relay with the following PowerShell command line (replace the <placeholders> with your own values):

New-ReceiveConnector -Name <Name> -Usage Custom -PermissionGroups AnonymousUsers -Bindings <LocalIPAddress:25> -RemoteIpRanges <SourceServer>

For instance:

New-ReceiveConnector -Name ITC-Relay-Internal -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.10.10.10:25 -RemoteIpRanges 10.10.10.20, 10.10.10.30

You can create the Receive connector for external relay with the following PowerShell command lines:

New-ReceiveConnector -Name <Name> -Usage Custom -PermissionGroups AnonymousUsers -Bindings <LocalIPAddress:25> -RemoteIpRanges <SourceServer>

Get-ReceiveConnector <Name> | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For instance:

New-ReceiveConnector -Name ITC-Relay-External -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.10.10.10:25 -RemoteIpRanges 10.10.10.40, 10.10.10.50

Get-ReceiveConnector "ITC-Relay-External" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Be sure to grant relay rights only to the explicit IP addresses of the servers, applications or devices that need them; don't open the connector to whole subnets or IP ranges.
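As an added example (not part of the original post), the following Exchange Management Shell script audits which Receive connectors already grant ANONYMOUS LOGON the Ms-Exch-SMTP-Accept-Any-Recipient right, and whether their RemoteIPRanges cover more than single hosts. It assumes the Exchange cmdlets are loaded and that IPRange entries expose LowerBound and UpperBound properties.

```powershell
# Added audit example, not from the original post. Run in the Exchange Management Shell.
# Reports every Receive connector that anonymous senders can use, whether the anonymous
# principal holds Ms-Exch-SMTP-Accept-Any-Recipient (external relay), and whether the
# allowed source addresses are wider than single hosts (the subnet/range case warned about above).
function Get-AnonymousRelayConnector {
    foreach ($connector in Get-ReceiveConnector) {
        # Connectors without the AnonymousUsers permission group cannot be used anonymously.
        if ("$($connector.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }

        # Allow ACEs granting the any-recipient right to NT AUTHORITY\ANONYMOUS LOGON.
        $anyRecipientAce = $connector | Get-ADPermission |
            Where-Object {
                -not $_.Deny -and
                "$($_.User)" -like '*ANONYMOUS LOGON' -and
                ($_.ExtendedRights -match 'Ms-Exch-SMTP-Accept-Any-Recipient')
            }

        # A range whose lower and upper bound differ is a subnet or range, not one host
        # (assumes IPRange objects expose LowerBound/UpperBound).
        $wideRanges = $connector.RemoteIPRanges |
            Where-Object { "$($_.LowerBound)" -ne "$($_.UpperBound)" }

        New-Object -TypeName PSObject -Property @{
            Connector        = "$($connector.Identity)"
            Bindings         = ($connector.Bindings | ForEach-Object { "$_" }) -join ', '
            RemoteIPRanges   = ($connector.RemoteIPRanges | ForEach-Object { "$_" }) -join ', '
            ExternalRelay    = [bool]$anyRecipientAce   # anonymous relay to outside recipients
            WideRemoteRanges = [bool]$wideRanges        # open to whole subnets or ranges
        }
    }
}

# List the connectors that deserve a second look: external relay combined with wide source ranges.
Get-AnonymousRelayConnector |
    Where-Object { $_.ExternalRelay -and $_.WideRemoteRanges } |
    Select-Object Connector, Bindings, RemoteIPRanges, ExternalRelay, WideRemoteRanges |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every anonymous-capable connector, including the internal-only ones.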
